Objectives

Introduce the concept of critical success factors

Illustrate the use of critical success factors as a foundation for security management

Provide real world examples in developing and analyzing critical success factors
Agenda

Introduction to Critical Success Factors
The CSF Method
Applying CSFs to Enterprise Security Management
Summary

Field observation

Enterprise security strategies are ineffective in the long run when they do not focus on and align with organizational drivers
How do we fix it?

Base organizational strategy and security strategy on the same organizational drivers

■ Mission is good, but abstract and open to interpretation
■ Goals are better, but more operational in nature
■ CSFs are more reliable and universal: key performance factors that all levels of management must consider
Introduction to Critical Success Factors
CSFs defined

The limited number of areas in which satisfactory results will ensure competitive performance for the organization and enable it to achieve its mission [Rockart & Bullen, 1981]

Key areas of activity

■ in which favorable results are necessary to achieve goals.
■ where things must go right for the organization to flourish.
■ that should receive constant attention from management.
CSF examples

Automobile industry
"Meet federal energy standards for automobiles."

County government
"Deliver high-quality, low-cost citizen services."

Educational institution
"Attract and retain high-quality faculty."
CSFs are the glue

Figure: Mission -> Critical success factors -> Operational activities. CSFs sit between the mission and the day-to-day operational activities and tie the two together.
Characteristics of CSFs

Sources define the various entities where CSFs originate

Dimensions describe the properties of CSFs relative to perspective (internal vs. external) and function (monitoring vs. adapting)

Hierarchy describes the relationship between CSFs at the various layers of an organization
Five sources of CSFs

Industry in which the organization operates

Organization's relationship with its peers

Environmental factors that the organization can't control

Temporary barriers, challenges or problems

Domain of each layer of management
Sources of CSFs

Figure: airline example, one group of CSFs per source, with the organizational CSFs at the center.

Industry CSFs:
■ Deliver on-time service.
■ Continually reduce cost per passenger mile.
■ Monitor the legal and regulatory environment.

Peer CSFs:
■ Move away from hub-and-spoke system.
■ Attract merger opportunities.
■ Increase code share partnerships.

Environmental CSFs:
■ Address the effects of terrorism.
■ Enhance relationships with new labor leadership.

Temporal CSFs:
■ Enhance brand image.
■ Address decrease in customers due to security issues.

Management CSFs:
■ Control airline schedules.
■ Optimize crew utilization.
■ Manage budgets.
Internal vs. External CSFs

Internal CSFs are within the span of control for a particular manager

External CSFs are most likely not controllable by a particular manager

An awareness helps managers actively set better goals and predict potential impacts when CSFs are not achieved
Monitoring vs. Adapting CSFs

Monitoring CSFs emphasize the continued scrutiny of existing situations

Adapting CSFs focus on improving and growing the organization

Managers almost always have monitoring CSFs

Adapting CSFs are the most likely to be confused with goals
Hierarchy of CSFs

CSFs exist throughout the organization at every management layer and level
The CSF Method

Five key activities

Defining scope
Collecting data
Analyzing data
Deriving CSFs
Analyzing CSFs
Organizational CSF participants

Specific roles:
■ C-level executives
■ Vice-President and director level
■ Division heads
■ Chief Legal Counsel
■ Corporate Secretary
■ VP Investor Relations, M&A, Marketing & Sales, PR
■ Strategic Planners

Unique functions:
■ Asset management
■ Corporate reporting and taxes
■ Risk Management
■ Controller and treasurer
■ Government relations
■ Select Board members
■ Select external personnel
Interview questions -1

What are the CSFs in your job right now?

In what 1, 2, or 3 areas would failure hurt you most?

In what area would you hate to see something go wrong?

Assume you are placed in a dark room with no access to the outside world. What would you most want to know about the organization when you emerged three months later?

Interview questions -2

What is your personal mission and role in the organization?

What are your most critical goals and objectives?

What are your three greatest business problems or obstacles?
Deriving CSFs

CSFs are pulled from supporting themes. So long as the process is followed, supporting themes should be all that is needed to derive a CSF.

Figure: derivation flow
Documents and interview notes -> Activity statements -> Affinity groups -> Summary themes -> CSFs
(Each affinity group is summarized into one or more themes; each CSF is drawn from one or more themes.)
CSF approach advantages

Guarantee alignment with organizational drivers
Reduce organizational ambiguity
Dependable guiding force/target for the organization
Reflect current operating environment of the organization
Reflect management's risk perspective
Course correction
Applying CSFs to Enterprise Security Management

Areas of promise using CSFs

As a tool for information security risk management

Providing impetus for managing security as a process throughout the organization

Foundation for enterprise resiliency
CSFs can enhance ISRM

Determining risk assessment scope
Selecting critical assets for assessment
Identifying and validating security requirements
Identifying risks to critical assets
Setting evaluation criteria for measuring risk
Evaluating threats and mitigating risk
Using CSFs to set scope

Most important and difficult task in risk assessment

Failure to focus a risk assessment on the right areas of the organization will not yield meaningful results

Using affinity analysis, focus on those areas that are most important to accomplishing the organization's mission
Scope example

Figure: affinity matrix of organizational departments against CSFs. Departments (rows): Human Resources, Legal, Controller's, Internal Auditing, Government Affairs, Research & Development, Information Technology, Public Affairs, Marketing. The CSF columns include "develop human resources", "maximize teamwork" and "manage compliance"; each cell marks whether the department's work contributes to the CSF.
This intersection indicates that the work of the Human Resources department is a primary factor in achieving the "develop human resources" CSF.

These intersections indicate that all departments play an important part in meeting the "maximize teamwork" CSF.

This intersection lacks a relationship. This indicates that the work of the R&D department has no apparent connection to achieving the "manage compliance" CSF.
CSFs and critical assets

Risk-based approach to information security directs resources to protecting the organization's most critical assets

Selection of assets to protect is often left to judgment or perceived value

CSFs can aid in identifying an organization's critical assets: those that contribute most to accomplishing the organization's mission
Critical assets example

Figure: affinity matrix of assets against CSFs. The asset "financial data" is important for managing compliance.
CSFs and security requirements

An important component of protecting critical assets

Foundation for devising an appropriate protection strategy for the assets

Prioritization of the requirements is necessary to determine which requirement, if unmet, would impact the owner of the asset and the organization

CSFs can aid in this prioritization of requirements.

Security requirements example
CSFs and risk identification -1

At the core of a risk management approach to security

Two popular means:

■ Use a taxonomy as a guide
■ Rely upon organizational judgment

Both methods can overlook common risks or risks unique to an organization

CSFs can sharpen focus on important risks

CSFs and risk identification -2

Properly focus risk identification in the right areas

Shape and guide the knowledge or input from personnel in the organization

Validate and prioritize risks that have been identified
CSFs and measuring risk

Requires evaluation criteria

Organization-based criteria are likely to reflect unique drivers, but this is not guaranteed

Criteria can be validated (to ensure alignment with organizational drivers) by comparison to the organization's CSFs

Evaluation criteria example
CSFs and risk mitigation

Depends on prioritization of those risks that most impact the organization

The organization is impacted whenever its ability to conduct its normal course of business is impeded.

Comparing risks to CSFs identifies those risks that are candidates for mitigation because

■ they interfere with the achievement of CSFs and
■ they affect other organizational drivers (goals, etc.)
Risk mitigation example
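The scope, critical-asset and risk-mitigation slides all rest on the same mechanic: an affinity matrix of departments (or assets) against CSFs, read off to decide what is in scope, which assets matter, and which identified risks interfere with a CSF. The following is an added example, written for this page and not code from the deck or from SEI, that carries that mechanic through all three steps in one place. The three CSF names and the department and asset names echo the deck's figures; the relationship weights, the risk list and the scoring rule (sum of relationship weights, primary = 2, secondary = 1) are constructed assumptions, and the method generalizes beyond the single "R&D has no link to manage compliance" cell the slide calls out.

```python
"""Affinity analysis over CSF matrices: assessment scope, critical assets,
and which identified risks are mitigation candidates.

Added example. Weights, risks and the scoring rule are constructed
assumptions, not taken from the SEI deck.
"""
from typing import Dict, List, Tuple

# Relationship strength between a row (department or asset) and a CSF.
PRIMARY, SECONDARY, NONE = 2, 1, 0

# CSF names as used in the deck's scope example.
CSFS = ["develop human resources", "maximize teamwork", "manage compliance"]

# Department x CSF affinity matrix (constructed values).
DEPARTMENTS: Dict[str, Dict[str, int]] = {
    "Human Resources":        {"develop human resources": PRIMARY,   "maximize teamwork": SECONDARY, "manage compliance": SECONDARY},
    "Legal":                  {"develop human resources": NONE,      "maximize teamwork": SECONDARY, "manage compliance": PRIMARY},
    "Controller's":           {"develop human resources": NONE,      "maximize teamwork": SECONDARY, "manage compliance": PRIMARY},
    "Research & Development": {"develop human resources": SECONDARY, "maximize teamwork": SECONDARY, "manage compliance": NONE},
    "Marketing":              {"develop human resources": NONE,      "maximize teamwork": SECONDARY, "manage compliance": NONE},
}

# Asset x CSF affinity matrix (constructed values).
ASSETS: Dict[str, Dict[str, int]] = {
    "financial data":    {"develop human resources": NONE,    "maximize teamwork": NONE,      "manage compliance": PRIMARY},
    "personnel records": {"develop human resources": PRIMARY, "maximize teamwork": NONE,      "manage compliance": SECONDARY},
    "intranet wiki":     {"develop human resources": NONE,    "maximize teamwork": SECONDARY, "manage compliance": NONE},
    "cafeteria menu":    {"develop human resources": NONE,    "maximize teamwork": NONE,      "manage compliance": NONE},
}

# Identified risks (constructed): (risk, asset threatened, CSFs it would impede).
RISKS: List[Tuple[str, str, List[str]]] = [
    ("unauthorized modification of ledger entries", "financial data", ["manage compliance"]),
    ("disclosure of personnel records", "personnel records", ["develop human resources", "manage compliance"]),
    ("wiki outage", "intranet wiki", ["maximize teamwork"]),
    ("menu page defaced", "cafeteria menu", []),
]


def affinity_score(row: Dict[str, int], csfs: List[str]) -> int:
    """Total relationship weight of one department or asset across all CSFs."""
    return sum(row.get(c, NONE) for c in csfs)


def scope_departments(matrix: Dict[str, Dict[str, int]], csfs: List[str],
                      min_strength: int = PRIMARY) -> List[str]:
    """Departments to put in the assessment scope: any with at least one CSF
    relationship of min_strength or stronger, most-connected first."""
    chosen = [d for d, row in matrix.items()
              if max(row.get(c, NONE) for c in csfs) >= min_strength]
    return sorted(chosen, key=lambda d: (-affinity_score(matrix[d], csfs), d))


def unrelated_intersections(matrix: Dict[str, Dict[str, int]],
                            csfs: List[str]) -> List[Tuple[str, str]]:
    """Empty cells of the matrix: pairs with no apparent connection."""
    return [(d, c) for d, row in matrix.items() for c in csfs
            if row.get(c, NONE) == NONE]


def rank_critical_assets(matrix: Dict[str, Dict[str, int]],
                         csfs: List[str]) -> List[Tuple[str, int]]:
    """Assets ordered by how much they contribute to the CSFs; a score of 0
    means the asset is not critical by this criterion."""
    ranked = [(a, affinity_score(row, csfs)) for a, row in matrix.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def prioritize_risks(risks: List[Tuple[str, str, List[str]]],
                     assets: Dict[str, Dict[str, int]],
                     csfs: List[str]) -> List[Tuple[str, int]]:
    """Mitigation candidates: a risk scores the asset's weight for every CSF
    it interferes with; a risk that impedes no CSF scores 0 and is dropped."""
    scored = []
    for name, asset, impeded in risks:
        row = assets.get(asset, {})
        score = sum(row.get(c, NONE) for c in impeded if c in csfs)
        if score > 0:
            scored.append((name, score))
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("in scope:", scope_departments(DEPARTMENTS, CSFS))
    print("no relationship:", unrelated_intersections(DEPARTMENTS, CSFS))
    print("critical assets:", rank_critical_assets(ASSETS, CSFS))
    print("mitigate first:", prioritize_risks(RISKS, ASSETS, CSFS))
```

Lowering min_strength to SECONDARY widens the scope to every department with any CSF link, which is how the "all departments play a part in maximize teamwork" cells surface; the empty cells returned by unrelated_intersections are the ones a reviewer should challenge before accepting the matrix, since a missing link may mean the department was never interviewed rather than that no relationship exists.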
Enterprise resiliency -1

Physical property of a material that allows it to spring back after deformation that has not exceeded its elastic limit [www.cogsci.princeton.edu]

". . . ability to withstand systemic discontinuities" [Booz Allen]

". . . ability to adapt to new risk environments" [Booz Allen]

Source: Booz Allen - Enterprise Resilience: Managing Risk in the Networked Economy
Enterprise resiliency -2

Figure: Resiliency, Survivability and Security shown as three layers.
Summary and conclusions

CSFs relate to the core functions of management: planning, organizing, coordinating, directing, and controlling

CSFs are essentially a management tool for better decision making that aligns with the organization's business drivers

CSFs show significant promise as a tool for improving enterprise security management by helping to ensure that security strategy actually enables the achievement of the organizational mission
For more information

Networked Systems Survivability Program
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh PA 15213 USA

http://www.cert.org
http://www.sei.cmu.edu

William Wilson
wrw@sei.cmu.edu

© 2004 by Carnegie Mellon University, Version 1.0
Presentation references

John F. Rockart, "Chief Executives Define Their Own Data Needs," Harvard Business Review (1979).

John F. Rockart and Christine V. Bullen, "A Primer on Critical Success Factors," CISR Working Paper No. 69, June 1981. © 1981 Massachusetts Institute of Technology. Used with permission.

Randy Starr, Jim Newfrock, and Michael Delurey, "Enterprise Resilience: Managing Risk in the Networked Economy," Enterprise Resilience: Risk and Security in the Networked World, Booz Allen Hamilton, 2003; www.strategy-business.com


